Merge branch 'release/2.6' of github.com:OpenVPN/openvpn-build into m…

…erge-2.6

* 'release/2.6' of github.com:OpenVPN/openvpn-build: (27 commits)
  Prepare release of 2.6.9-I001
  MSI: set proper ACL when installing to custom directory
  MSI: disable PRODUCTDIR modification on upgrade
  ...

.github/workflows/build.yaml

@@ -29,19 +29,19 @@ jobs:
           submodules: true
 
       - name: Restore from cache and install vcpkg
-        uses: lukka/run-vcpkg@d42250cb2f1d4b925fe4e8abbdc9753dd3b53056 # v11.3
+        uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5
         with:
           vcpkgDirectory: '${{ github.workspace }}/src/vcpkg'
           vcpkgJsonGlob: '**/src/openvpn/contrib/vcpkg-manifests/windows/vcpkg.json'
 
       - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@4865386b66955d11be0abf8c112d0230023e742a # v3.27.9
+        uses: lukka/get-cmake@139aae96315b496d9af1b5e9abe53b15ca7eece8 # v3.28.3
 
       - name: Install rst2html
         run: python -m pip install --upgrade pip docutils
 
       - name: Setup MSVC prompt
-        uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.1
+        uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 
       - name: Install Wix 3.14
         run: |
@@ -77,7 +77,7 @@ jobs:
           echo "DATETIME=${dt}" >> $Env:GITHUB_ENV
 
       - name: Archive artifacts
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: openvpn-master-${{ env.DATETIME }}-${{ env.OPENVPN_COMMIT }}-${{ matrix.arch }}
           path: ${{ github.workspace }}\windows-msi\image\*-${{ matrix.arch }}.msi
@@ -93,7 +93,7 @@ jobs:
 
     steps:
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: arn:aws:iam::217307881341:role/GitHubActions
           role-session-name: githubactions
@@ -107,13 +107,13 @@ jobs:
           path: openvpn-windows-test
 
       - name: Install SSH key for tclient host
-        uses: shimataro/ssh-key-action@38b53cb2f445ea2e0eb8872407e366677c41dbc6 # v2.6.1
+        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2.7.0
         with:
           key: ${{ secrets.SSH_KEY_FOR_TCLIENT_HOST }}
           known_hosts: unnecessary
 
       - name: Get artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
         with:
           path: msi
 
@@ -126,7 +126,7 @@ jobs:
           .\Start-AWSTest.ps1 -SSH_KEY ~/.ssh/id_rsa -MSI_PATH $(Get-ChildItem ../msi/*-amd64/*.msi | select -ExpandProperty FullName)
 
       - name: Archive openvpn logs
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         if: ${{ always() }}
         with:
           name: t_client_openvpn_logs
@@ -143,7 +143,7 @@ jobs:
         run: sudo apt install knockd
 
       - name: Get artifacts
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
         with:
           path: msi
 
@@ -207,7 +207,7 @@ jobs:
 
       - name: Restore cached chroots
         id: chroots-restore
-        uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache/restore@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
         with:
           path: |
             debian-sbuild/chroots
@@ -230,7 +230,7 @@ jobs:
       - name: Save chroots
         if: steps.chroots-restore.outputs.cache-hit != 'true'
         id: chroots-save
-        uses: actions/cache/save@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache/save@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
         with:
           path: |
             debian-sbuild/chroots
@@ -247,7 +247,7 @@ jobs:
           sg sbuild ./scripts/build-all.sh
 
       - name: Archive packages
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: openvpn-debian
           path: |

debian-sbuild/openvpn-dco-dkms/changelog-0.2.20231117

@@ -5,4 +5,4 @@ openvpn-dco-dkms (0.2.20231117-debian0) stable; urgency=medium
   * ovpn-dco: warn if peer is dead in ovpn_tcp_read_sock() (Antonio Quartulli, 0613e71)
   * ovpn-dco: fix refcount imbalance upon RX in case of full ring (Antonio Quartulli, 7b7a28f)
 
- -- Yuriy Darnobyt <yuriy.darnobyt@openvpn.net>  Thu, 16 Nov 2023 15:11:55 +0100
+ -- Frank Lichtenheld <frank.lichtenheld@openvpn.net>  Thu, 16 Nov 2023 15:11:55 +0100

debian-sbuild/openvpn/changelog-2.6.9

@@ -0,0 +1,49 @@
+openvpn (2.6.9-debian0) stable; urgency=medium
+
+  * preparing release 2.6.9 (Gert Doering, 6640a10b)
+  * dco-freebsd: dynamically re-allocate buffer if it's too small (Kristof Provost, d8faf568)
+  * documentation: Fixes for previous fixes to --push-peer-info (Frank Lichtenheld, 6bed72d0)
+  * documentation: Update and fix documentation for --push-peer-info (Frank Lichtenheld, 18fb30f7)
+  * README.cmake.md: Document minimum required CMake version for --preset (Frank Lichtenheld, 9ec52461)
+  * --http-proxy-user-pass: allow to specify in either order with --http-proxy (Frank Lichtenheld, 1141e750)
+  * buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' (Frank Lichtenheld, 68b00a54)
+  * proxy-options.rst: Add proper documentation for --http-proxy-user-pass (Frank Lichtenheld, 7b1f2009)
+  * Remove conditional text for Apache2 linking exception (Arne Schwabe, 20bc8bd5)
+  * Enable key export with mbed TLS 3.x.y (Max Fillinger, 001950d1)
+  * Disable TLS 1.3 support with mbed TLS (Max Fillinger, 7fa534db)
+  * Update README.mbedtls (Max Fillinger, 1aa2995e)
+  * Add support for mbedtls 3.X.Y (Max Fillinger, 2942ef5d)
+  * NTLM: increase size of phase 2 response we can handle (Frank Lichtenheld, 62d14fcf)
+  * NTLM: add length check to add_security_buffer (Frank Lichtenheld, 7a9670df)
+  * Implement the --tls-export-cert feature (Arne Schwabe, d27cb148)
+  * fix uncrustify complaints about previous patch (Gert Doering, 9fb62e2b)
+  * Fix IPv6 route add/delete message log level (Steffan Karger, 9abf74c9)
+  * Clarify that the tls-crypt-v2-verify has a very limited env set (Arne Schwabe, 322b11ab)
+  * Make it more explicit and visible when pkg-config is not found (Arne Schwabe, d602fc03)
+  * Check PRF availability on initialisation and add --force-tls-key-material-export (Arne Schwabe, b29ada31)
+  * get_default_gateway() HWADDR overhaul (Gert Doering, bfd5b12e)
+  * OpenBSD: repair --show-gateway (Gert Doering, 77376fc5)
+  * Fix unaligned access in macOS, FreeBSD, Solaris hwaddr (Arne Schwabe, 5380fe02)
+  * documentation: improve documentation of --x509-track (Frank Lichtenheld, cbcecdb3)
+  * fix(ssl): init peer_id when init tls_multi (yatta, 6dffbf6a)
+  * Extend the error message when TLS 1.0 PRF fails (Arne Schwabe, cfaf82d5)
+  * tun.c: don't attempt to delete DNS and WINS servers if they're not set (Lev Stipakov, 030afe64)
+  * unit_tests: remove includes for mock_msg.h (Frank Lichtenheld, e2a9c1ba)
+  * Remove superfluous x509_write_pem() (David Sommerseth, 5552391a)
+  * Remove --tls-export-cert (David Sommerseth, 031fe882)
+  * vcpkg-ports/pkcs11-helper: bump to version 1.30 (Marc Becker, 77b2e940)
+  * documentation: remove reference to removed option --show-proxy-settings (Frank Lichtenheld, 8b9a3378)
+  * Remove compat versionhelpers.h and remove cmake/configure check for it (Arne Schwabe, 19bfb702)
+  * Add check for nice in cmake config (Arne Schwabe, cc81f014)
+  * configure.ac: Remove unused AC_TYPE_SIGNAL macro (Frank Lichtenheld, 64703e72)
+  * Add missing check for nl_socket_alloc failure (Arne Schwabe, aa19a6a9)
+  * Fix check_session_buf_not_used using wrong index (Arne Schwabe, 5def8d93)
+  * Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway (Arne Schwabe, 3168e1af)
+  * Document tls-exit option mainly as test option (Arne Schwabe, 350bdd85)
+  * GHA: clean up libressl builds with newer libressl (Frank Lichtenheld, 1a6aef37)
+  * Log SSL alerts more prominently (Arne Schwabe, 94cd53c7)
+  * sample-keys: renew for the next 10 years (Frank Lichtenheld, c1a983e8)
+  * Remove unused function prototype crypto_adjust_frame_parameters (Arne Schwabe, d25b408d)
+  * protocol_dump: tls-crypt support (Reynir Björnsson, 0a39d1c1)
+
+ -- Frank Lichtenheld <[email protected]>  Mon, 12 Feb 2024 12:30:06 +0100

release/vars.example

@@ -19,13 +19,13 @@ GIT_AUTHOR="Frank Lichtenheld <[email protected]>"
 WINDOWS_SIGNING_KEY_FP="31DA19926259519C9EA312C71935B13C33FC6E7E"
 
 # Version numbers
-OPENVPN_PREVIOUS_VERSION="${OPENVPN_PREVIOUS_VERSION:-2.6.7}"
+OPENVPN_PREVIOUS_VERSION="${OPENVPN_PREVIOUS_VERSION:-2.6.8}"
 OPENVPN_CURRENT_VERSION="${OPENVPN_CURRENT_VERSION:-2.7_git}"
 OPENVPN_CURRENT_TAG="${OPENVPN_CURRENT_TAG:-HEAD}"
 OPENVPN_PREVIOUS_TAG="refs/tags/v$OPENVPN_PREVIOUS_VERSION"
 
 OPENVPN_GUI_CURRENT_MAJ_VERSION=11
-OPENVPN_GUI_CURRENT_MIN_VERSION=46
+OPENVPN_GUI_CURRENT_MIN_VERSION=47
 OPENVPN_GUI_CURRENT_FULL_VERSION="$OPENVPN_GUI_CURRENT_MAJ_VERSION.$OPENVPN_GUI_CURRENT_MIN_VERSION.0.0"
 OPENVPN_GUI_BRANCH="master"
 

windows-msi/build.wsf

@@ -273,6 +273,7 @@ clean	Cleans intermediate and output files</example>
                                 BuildPath("script", "ActiveSetupCA.js"),
                                 BuildPath("script", "PlapReg.js"),
                                 BuildPath("script", "Service.js"),
+                                BuildPath("script", "ACL.js"),
                                 BuildPath(p.buildPath, "license.txt"),
                                 BuildPath(p.buildPath, "tap-windows6.msm"),
                                 BuildPath(p.buildPath, "wintun.msm"),

windows-msi/gui.wxs

@@ -303,7 +303,7 @@
                     <Subscribe Event="SelectionPathOn" Attribute="Enabled"/>
                 </Control>
                 <Control Id="Browse" Type="PushButton" X="320" Y="230" Width="60" Height="20" Text="Br&amp;owse" TabSkip="no">
-                    <Condition Action="disable">Installed</Condition>
+                    <Condition Action="hide">WIX_UPGRADE_DETECTED</Condition>
                     <Publish Event="SelectionBrowse" Value="BrowsePage">1</Publish>
                 </Control>
                 <Control Id="Reset" Type="PushButton" X="15" Y="265" Width="60" Height="20" Text="&amp;Reset" ToolTip="Resets feature selection to initial state." TabSkip="no">

windows-msi/msi.wxs

@@ -83,13 +83,17 @@
 
         <Binary Id="Service.js" SourceFile="script\Service.js"/>
         <Binary Id="PlapReg.js" SourceFile="script\PlapReg.js"/>
+        <Binary Id="ACL.js" SourceFile="script\ACL.js"/>
 
-        <CustomAction Id="GetInstallDir" BinaryKey="PlapReg.js" JScriptCall="GetInstallDir" />
+        <CustomAction Id="GetInstallDirForPlap" BinaryKey="PlapReg.js" JScriptCall="GetInstallDir" />
         <CustomAction Id="UpdatePlapReg" BinaryKey="PlapReg.js" JScriptCall="UpdatePlapReg" Execute="deferred" Impersonate="no" />
 
         <CustomAction Id="CheckOpenVPNServiceStatus" BinaryKey="Service.js" JScriptCall="CheckOpenVPNServiceStatus" />
         <CustomAction Id="ConfigureOpenVPNService"  BinaryKey="Service.js" JScriptCall="ConfigureOpenVPNService" Execute="deferred" Impersonate="no" />
 
+        <CustomAction Id="GetInstallDirForACL" BinaryKey="ACL.js" JScriptCall="GetInstallDir" Return="check" />
+        <CustomAction Id="SetACL" BinaryKey="ACL.js" JScriptCall="SetACL" Execute="deferred" Impersonate="no" Return="check" />
+
         <!--
             Detect system information
         -->
@@ -101,8 +105,10 @@
             <Custom Action="FindSystemInfo" After="FindRelatedProducts"/>
             <Custom Action="CheckOpenVPNServiceStatus" After="ProcessComponents"/>
             <Custom Action="ConfigureOpenVPNService" After="StartServices">NOT Installed OR REINSTALL</Custom>
-            <Custom Action="GetInstallDir" After="FindRelatedProducts"/>
+            <Custom Action="GetInstallDirForPlap" After="SetProductDirParam"/>
             <Custom Action="UpdatePlapReg" After="InstallFiles"/>
+            <Custom Action="GetInstallDirForACL" After="SetProductDirParam">NOT Installed</Custom>
+            <Custom Action="SetACL" After="InstallFiles">NOT Installed</Custom>
         </InstallExecuteSequence>
         <UI>
             <ProgressText Action="FindSystemInfo">Detecting system information</ProgressText>
@@ -349,7 +355,7 @@
             Action="SetProductDirParam"
             Id="PRODUCTDIR"
             Value="[INSTALLDIR]"
-            Sequence="first">INSTALLDIR AND NOT Installed</SetProperty>
+            Sequence="first">INSTALLDIR AND NOT Installed AND NOT WIX_UPGRADE_DETECTED</SetProperty>
 
 
         <!--